Whew! Weehh!! Another week that wazzz
The Week in Ransomware - September 23rd 2022 - LockBit leak
This week we saw some embarrassment for the LockBit ransomware operation when their programmer leaked a ransomware builder for the LockBit 3.0 encryptor.
Running the ransomware builder is simple and quickly creates an encryptor, private/public encryption keys, and a decryptor by just running a batch file.
The LockBit 3.0 ransomware builder makes it easy for any would-be threat actor to roll out their own operation simply by modifying the enclosed configuration file to use custom ransom notes.
Ransomware operations were launched in the past from the leaks of the Babuk ransomware builder and Conti source code.
Other research this week shows how the BlackMatter ransomware gang continues to evolve its operation by upgrading its data exfiltration tool for double-extortion attacks.
This week, we also learned more about ransomware attacks, including those on the New York Racing Association and a New York ambulance service.
Contributors and those who provided new ransomware information and stories this week include: @struppigel, @DanielGallagher, @demonslay335, @malwrhunterteam, @Seifreed, @malwareforme, @fwosar, @BleepinComputer, @FourOctets, @billtoulas, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @VK_Intel, @LawrenceAbrams, @serghei, @S2W_Official, @GeeksCyber, @BroadcomSW, @pcrisk, @3xp0rtblog, @vxunderground, @PogoWasRight, @AhnLab_SecuInfo, and @zscaler.
September 17th 2022
New York ambulance service discloses data breach after ransomware attack
Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information.
September 19th 2022
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .aawt, .aabn, .aamv, and .aayu extensions.
New Phobos variant
PCrisk found a new Phobos ransomware variant that appends the .duck extension and drops a ransom note named info.txt and info.hta.
New VoidCrypt variant
PCrisk found a new VoidCrypt ransomware variant that appends the .Joker extension and drops a ransom note named Decryption-Guide.txt and Decryption-Guide.HTA.
New VSOP variant
PCrisk found a new VSOP ransomware variant that appends the .minex extension and drops a ransom note named readme.txt.
September 20th 2022
Hive ransomware claims attack on New York Racing Association
The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data.
New BlackBit ransomware
PCrisk found a ransomware called BlackBit that appends the .BlackBit extension and drops ransom notes named Restore-My-Files.txt and info.hta.
September 21st 2022
LockBit ransomware builder leaked online by “angry developer”
The LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang's newest encryptor.
Technical Analysis of Crytox Ransomware
The threat actor using Crytox ransomware has been active since at least 2020, but has received significantly less attention than many other ransomware families. In September 2021, the Netherlands-based company RTL publicly acknowledged that they were compromised by the threat actor. The company paid Crytox 8,500 euros. Compared with current ransom demands, this amount is relatively low. Unlike most ransomware groups, the Crytox threat actor does not perform double extortion attacks where data is both encrypted and held for ransom.
September 22nd 2022
BlackCat ransomware’s data exfiltration tool gets an upgrade
The BlackCat ransomware (aka ALPHV) isn't showing any signs of slowing down, and the latest example of its evolution is a new version of the gang's data exfiltration tool used for double-extortion attacks.
Quick Overview of Leaked LockBit 3.0 (Black) builder program
Build.bat first executes Keygen.exe to create an RSA public/private key pair, then runs Builder.exe, which generates a LockBit 3.0 ransomware sample using the generated key pair.
A technical analysis of the leaked LockBit 3.0 builder
This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022.
Ransomware disguised as GTA 6 source code
MalwareHunterTeam found a few ransomware samples pretending to be GTA 6 source code.
New Zeppelin variant
PCrisk found a new Zeppelin ransomware variant that appends the .ORCA extension and drops the HOW_TO_RECOVER_DATA.hta ransom note.
September 23rd 2022
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .ofoq, .ofww, and .oflg extensions.
FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers
The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware families that target vulnerable MS-SQL servers. In the past, it was also called Mallox because it used the file extension .mallox.
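As an added defender-side example (not part of the original roundup, and not code from PCrisk, ASEC, or any other source cited above), the following Python script gathers the file extensions and ransom-note filenames listed in this week's variant entries into an indicator table and runs them over a constructed file listing. The indicator values are copied from the entries above; the directory listing, the family names used as dictionary keys, and the severity thresholds are assumptions made for the demo. Generic note names such as readme.txt are treated as weak signals on their own and only raise the verdict when encrypted files of the same family are also present.

```python
"""Scan a file listing for the ransomware indicators named in the roundup.

Example code added to this post; the listing below is constructed, not a
real incident, and the family labels are the ones used in the entries above.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Appended extension -> family, from the variant entries (compared lower-case).
EXTENSION_INDICATORS = {
    ".aawt": "STOP", ".aabn": "STOP", ".aamv": "STOP", ".aayu": "STOP",
    ".ofoq": "STOP", ".ofww": "STOP", ".oflg": "STOP",
    ".duck": "Phobos", ".joker": "VoidCrypt", ".minex": "VSOP",
    ".blackbit": "BlackBit", ".orca": "Zeppelin", ".mallox": "FARGO",
}

# Ransom-note filename -> families that drop it (info.txt/info.hta are shared
# by the Phobos and BlackBit entries, so a note alone cannot pick one).
NOTE_INDICATORS = {
    "info.txt": ("Phobos", "BlackBit"), "info.hta": ("Phobos", "BlackBit"),
    "decryption-guide.txt": ("VoidCrypt",), "decryption-guide.hta": ("VoidCrypt",),
    "readme.txt": ("VSOP",),            # generic name: weak signal by itself
    "restore-my-files.txt": ("BlackBit",),
    "how_to_recover_data.hta": ("Zeppelin",),
}


def classify(path):
    """Return ("note", families) or ("encrypted", family) for a path, else None."""
    p = PurePosixPath(path)
    name = p.name.lower()
    if name in NOTE_INDICATORS:
        return ("note", NOTE_INDICATORS[name])
    ext = p.suffix.lower()
    if ext in EXTENSION_INDICATORS:
        return ("encrypted", EXTENSION_INDICATORS[ext])
    return None


def scan(paths, min_encrypted=3):
    """Aggregate hits per family and assign a verdict.

    high   - at least min_encrypted files carry the family's extension
    medium - some encrypted files plus a matching note in the listing
    low    - note name only (could be a legitimate readme) or a lone file
    """
    encrypted = defaultdict(list)
    note_dirs = defaultdict(set)
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        kind, value = hit
        if kind == "encrypted":
            encrypted[value].append(path)
        else:
            for family in value:
                note_dirs[family].add(str(PurePosixPath(path).parent))

    findings = {}
    for family in set(encrypted) | set(note_dirs):
        n = len(encrypted[family])
        if n >= min_encrypted:
            verdict = "high"
        elif n and note_dirs[family]:
            verdict = "medium"
        else:
            verdict = "low"
        findings[family] = {
            "verdict": verdict,
            "encrypted_files": n,
            "note_dirs": sorted(note_dirs[family]),
        }
    return findings


# Constructed listing: a Phobos-style hit across two shares, a legitimate
# README that collides with the VSOP note name, and one stray .minex file.
SAMPLE_LISTING = [
    "/srv/share/finance/q3.xlsx.duck",
    "/srv/share/finance/budget.docx.duck",
    "/srv/share/finance/info.txt",
    "/srv/share/finance/info.hta",
    "/srv/share/hr/policies.pdf.duck",
    "/srv/share/hr/info.txt",
    "/srv/share/dev/README.txt",
    "/srv/share/dev/build.log.minex",
    "/srv/share/dev/main.c",
    "/srv/share/photos/trip.jpg",
]

if __name__ == "__main__":
    for family, info in sorted(scan(SAMPLE_LISTING).items()):
        print(f"{family:10} {info['verdict']:6} "
              f"encrypted={info['encrypted_files']} notes_in={info['note_dirs']}")
```

On the constructed listing the three .duck files plus info.txt/info.hta give Phobos a high verdict, BlackBit stays low because only the shared note names match it, and VSOP lands at medium from the single .minex file corroborated by a readme.txt in the same tree. Feeding a real listing (for example the output of a file-server audit) means replacing SAMPLE_LISTING; the extension table is a point-in-time snapshot of this week's entries and must be refreshed as new variants are reported.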
That's it for this week! Hope everyone has a nice weekend!!
YouTube down: Live streams hit by worldwide outage
YouTube is currently experiencing a worldwide outage, with thousands of reports saying they cannot access live streams.
While the company has yet to acknowledge the issue, user reports shared on DownDetector show that most of those affected by this ongoing outage have problems with video streaming and accessing the YouTube website.
When attempting to access YouTube streams, users see black screens with a loading animation and error messages asking to "please try again later."
. . .
Internet monitoring organization NetBlocks also confirmed that YouTube is experiencing a global outage that impacts live streams.
NetBlocks added that this incident is unrelated to "country-level internet disruptions or filtering."
Note: YouTube is experiencing international outages with live streams impacted; incident not related to country-level internet disruptions or filtering #YouTubeDown pic.twitter.com/Jay24MxBlL
— NetBlocks (@netblocks) September 23, 2022
It is unknown at the moment if this is planned maintenance activity, a problem with YouTube's servers, or if the outage is related to malicious activity.
This is a developing story and will be updated as more information is revealed.
UK Police arrests teen believed to be behind Uber, Rockstar hacks
The City of London police announced on Twitter today the arrest of a British 17-year-old teen suspected of being involved in recent cyberattacks.
In a short tweet shared by law enforcement, the teen was arrested in Oxfordshire as part of a hacking investigation supported by the UK's National Crime Agency.
"On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking, as part of an investigation supported by the @NCA_UK’s National Cyber Crime Unit (NCCU).
He remains in police custody" - City of London Police.
BleepingComputer has reached out to the NCA and City of London police to learn more about this investigation.
The NCA referred us to the City of London Police, stating it was their investigation, while the latter said they have no further information to share and that any new information would be posted on Twitter.
BleepingComputer also reached out to the FBI regarding the suspect's possible involvement in the Uber attack but has not immediately received a response.
Journalist Matthew Keys says that it was a 17-year-old boy who was arrested over the hack of Rockstar, and likely Uber.
UPDATE: Arrest of 17-year-old by police in the United Kingdom over hack of Rockstar and possibly Uber was done in concert with an investigation conducted by the FBI, according to a source with knowledge of the matter.
— Matthew Keys (@MatthewKeysLive) September 23, 2022
However, as the suspect is a minor, their name cannot be released by law enforcement under UK law.